Patches to W2K overshadow the imminent arrival of the next generation of Microsoft OS

Fresh Microsoft milestones are in sight. In less than a month the
software giant will launch two momentous new releases to a fanfare
of publicity. Windows 2003 will be its most important new operating
system in three years. Visual Studio .NET 2003 will, the company
hopes, elevate web services on to the user community's agenda for
good.
With so much at stake in the coming weeks Microsoft must have
cursed the timing of last week's problems with a vulnerability in
Internet Information Server on Windows 2000.
Much was made of Bill Gates' launch of the Trustworthy Computing
Initiative in January 2002, when he vowed to make security a top
priority in software development. One year on, the patch problem
shows little sign of subsiding. Judging by its past track record,
can we expect Microsoft to produce trustworthy software? And, if
not, where is the incentive to commit more time and money to
Microsoft upgrades in the future?
Security vulnerabilities are a fact of life. In Microsoft's
defence, it took a proactive approach in dealing with this latest
threat, working hard to combat it and alerting key users to it. It
should also be said that, if Microsoft seems to hog the security
spotlight, it is only reflective of the great contribution that its
software has made to the personal and business computing
revolution. Good, ubiquitous software is bound to draw unwelcome
attention.
But the fact remains that regular Microsoft alerts, patches and
service packs continue to blight IT managers' working days, so much
so that they are beginning to ignore available fixes and take their
chances.
The Slammer worm proved that IT users were disinclined to devote
time to loading patches until it was too late. Perhaps in response
to this shift in attitude, Microsoft last week telephoned hundreds
of UK users to warn them of the IIS flaw. How embarrassing it must
have been that the patch turned out to have some unforeseen
system side-effects and, in some instances, did not work.
Even a patch that eventually does its job first needs to be tested
on non-critical systems, and requires servers to be shut down and
rebooted before it can be released in the wild. In contrast,
workarounds, which do not require servers to be rebooted, and whose
impact on business can be predicted, will often suffice.
Microsoft needs to rethink the approach it takes to plugging
vulnerabilities, and to reassess its reliance on patches.
Meanwhile, IT managers face the dilemma of whether to ignore fixes
or to implement them and risk further disrupting business. It is a
dilemma that leaves us a long way from secure computing.
With luck, the release of Windows 2003 will go some way towards
resolving issues of security. Business communities around the globe
will be joining Microsoft in keeping their fingers crossed.